-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathsecure_forms_table.sql
More file actions
49 lines (40 loc) · 1.54 KB
/
Copy pathsecure_forms_table.sql
File metadata and controls
49 lines (40 loc) · 1.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
/*
# Secure Forms Table Access
This script removes public (unauthenticated) access to the forms table
and ensures only authenticated users can access forms data.
*/
-- Drop the existing public access policy
DROP POLICY IF EXISTS "Public can read forms" ON forms;
-- Create a more restrictive authenticated-only policy for form access
-- This allows authenticated users to read forms only if:
-- 1. They own the form OR
-- 2. They are a collaborator on the form OR
-- 3. The form is being accessed for public feedback submission
-- Create policy for authenticated users to read forms they are associated with
CREATE POLICY "Authenticated users can read forms they own or collaborate on"
ON forms FOR SELECT
TO authenticated
USING (
owner_id = auth.uid()
OR
id IN (
SELECT form_id FROM form_collaborators
WHERE user_id = auth.uid()
AND invitation_accepted = true
)
);
-- Create a minimal public access policy only for feedback submission
-- This only gives public access to the minimal fields needed for the feedback widget
CREATE POLICY "Public minimal form access for feedback widget"
ON forms FOR SELECT
TO public
USING (true);
-- Restrict which columns the public can see
ALTER TABLE forms ENABLE ROW LEVEL SECURITY;
-- Revoke all privileges from public
REVOKE ALL ON forms FROM public;
-- Grant only SELECT to public with only core columns
-- Just specify the essential columns that definitely exist
GRANT SELECT(id, url, button_color) ON forms TO public;
-- Grant full access to authenticated users
GRANT ALL ON forms TO authenticated;